向外部流量打开主机网络上运行的docker端口

如何让运行gunicorn/FastAPI服务器的docker容器响应外部流量?

我的容器就是这样运行的

docker run --detach --net host -v "/path/to/app/app":"/app" -it me/app:appfastapi_latest /start.sh

cat start.sh
#! /usr/bin/env sh
set -e

# Start Gunicorn
exec gunicorn -k "uvicorn.workers.UvicornWorker" -c /app/gunicorn_conf.py "main:app"

cat ./app/gunicorn_conf.py
...
host = "0.0.0.0"
port = "8000"
bind = f"{host}:{port}"
...

docker logs container_id

...
[2022-02-15 05:40:10 +0000] [1] [INFO] Listening at: http://127.0.0.1:8000 (1)

^^^ this was before a fix in the conf, now its
0.0.0.0:8000
...

从主机上卷曲容器

curl localhost:8000/hw                                                                                                                 {"message":"Hello World"}

应该是这样的。但当我这么做的时候

curl domain:8000/hw
curl: (7) Failed to connect to domain port 8000: Connection refused

我不知道如何解决这个问题。在FastAPI main中,我有

ORIGINS = [
    "http://127.0.0.1:8000",
    "http://localhost:8000",
    "http://domain:8000",
]


app = FastAPI(title="MY API", root_path=ROOT_PATH, docs_url="/")
app.add_middleware(
    CORSMiddleware,
    allow_origins=ORIGINS,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

我打开了防火墙(我相信)

sudo iptables -L                                                                                                                       
Chain INPUT (policy ACCEPT)                                                                                                                                           
target     prot opt source               destination                                                                                                                  
ACCEPT     tcp  --  172.17.0.2           anywhere             tcp dpt:mysql                                                                                           
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000                                                                                            
                                                                                                                                                                      
Chain FORWARD (policy DROP)                                                                                                                                           
target     prot opt source               destination                                                                                                                  
DOCKER-USER  all  --  anywhere             anywhere                                                                                                                   
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere                                                                                                      
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED                                                                             
DOCKER     all  --  anywhere             anywhere                                                                                                                     
ACCEPT     all  --  anywhere             anywhere                                                                                                                     
ACCEPT     all  --  anywhere             anywhere 

Chain OUTPUT (policy ACCEPT)                                                                                                                                          target     prot opt source               destination                                                                                                                                                                                                                                                                                        Chain DOCKER (1 references)                                                                                                                                           target     prot opt source               destination                                                                                                                                                                                                                                                                                        Chain DOCKER-ISOLATION-STAGE-1 (1 references)                                                                                                                         target     prot opt source               destination                                                                                                                  DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere                                                                                                      RETURN     all  --  anywhere             anywhere                                                                                                                                                                                                                                                                                           Chain DOCKER-ISOLATION-STAGE-2 (1 references)                                                                                                                         target     prot opt source               destination                                                                                                                  DROP       all  --  anywhere             anywhere                                                                                                                     RETURN     all  --  anywhere             anywhere

我为港口开的 8000 具有

sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT

我使用的系统是Debian9,

docker --version
Docker version 19.03.15, build 99e3ed8919